Daily Tech Digest - September 04, 2017

Should CIOs take employees offline to improve security?

What's today's stressed IT manager to do? Continue to block, patch and hope? That approach is getting harder to justify, given the rate at which new vulnerabilities appear. The problem is compounded by the fact that there are almost certainly existing vulnerabilities that we – excluding certain national security services – don't know about. Does it still make sense for all of an enterprise to be online? The answer boils down to a cost-benefit analysis: what is the benefit of everyone being connected to the outside world, and what is the potential cost in terms of hacking, loss of commercial secrets and downtime? Until recently the benefit outweighed the cost, but now it's not so clear-cut, because some of the costs are hard to determine.


There is no such thing as a DR test failure

Testing your IT Disaster Recovery (DR) plan can be laborious, tedious and fraught with potential landmines. Case in point, that was my first exposure to DR way back in the ancient times of the early 1990s. We were a mainframe shop, Big Blue, Amdahl, you know the beasts. Our infrastructure team had been performing annual DR tests for several years. These were the kind of tests where you rented space and equipment in some far-away datacenter for a finite amount of time, something like 36 hours. Within that window, you had to fire up the mainframes, tape drives and disks, and restore the OS, middleware and all the utilities. This year was going to be different, however. This year, they actually wanted to recover an application. At the time, I was the lead contractor assigned to the order management applications.


Neato Robotics Adds More Smarts To Its Vacuum Cleaners

With Version 2.0 of its smartphone app, the company is adding the ability to program its vacuums via IFTTT.com (IF This, Then That). The web service can automatically trigger certain online actions depending on events or data gathered from other online sources. That will give owners of a connected Botvac a new way to trigger a cleaning session. Instead of pushing a button on the robot, or in the app, or setting a fixed schedule of days and times to clean, they will be able to use an IFTTT recipe to tell the robot to start cleaning as soon as their smart thermostat detects that the house is empty, for example. IFTTT's online calendar integration could trigger an extra clean the morning after a party or, for those with particularly muddy outdoor interests, the day after their calendar lists a hike in the woods or a mountain bike race, say.


Payment card security standard compliance and cyberattacks

When looking at the PCI controls that companies would be expected to have in place (such as security testing, penetration tests, etc.), the report found an increased ‘control gap,’ meaning that many of these basics were absent. In 2015, companies failing their interim assessment had an average of 12.4 percent of controls absent; this increased to 13 percent in 2016. Simonetti continues, “It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection. Many organisations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related – the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals – however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”


Five steps to a secure workforce

The first step in securing your employees is to understand what they do, and therefore what they need access to. By governing their privileges, you’ll be limiting their ability to do damage with your data, intentionally or unwittingly, without stopping them from doing their jobs. This begins with understanding who handles what in your organisation, and how. Analyse different employee roles. How many of them are there? Create a list and then assign responsibilities to each role, along with the level of information that they need access to when doing their job. Then, place individual job titles into these roles. This will be the basis for a least-privilege access model that gives employees access to the data they need on a need-to-know basis. After creating a framework for managing access, you must build security policies that use this framework to define employee behaviour and mitigate information security risk.


How to install and enable ModSecurity with NGINX on Ubuntu Server

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. This open source Web Application Firewall (WAF) module does an outstanding job of protecting web servers (Apache, NGINX, and IIS) from attacks that target potential vulnerabilities in various web applications. ModSecurity handles tasks like: real-time application security monitoring and access control; full HTTP traffic logging; continuous passive security assessment; and web application hardening. I want to walk you through the process of installing both ModSecurity and NGINX, so you can ensure your web server is better capable of standing up against certain attacks. The installation process is a bit complicated and handled completely through the command line.
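Once the module is built and installed, the part that actually decides whether the WAF blocks anything is the configuration. The fragment below is an added example for this digest, not configuration from the article or from the ModSecurity project; the file paths, hostname and upstream address are assumptions. It shows the NGINX side (loading the ModSecurity-nginx connector and enabling it for a server block) together with a minimal rules file, and in particular the setting that the shipped modsecurity.conf-recommended leaves in detection-only mode, which is the most common reason a "working" ModSecurity install never blocks a request:

```nginx
# /etc/nginx/nginx.conf (fragment; paths are assumptions for this example)
load_module modules/ngx_http_modsecurity_module.so;   # ModSecurity-nginx connector, built as a dynamic module

http {
    server {
        listen 80;
        server_name example.internal;               # assumed hostname

        modsecurity on;                             # run the engine for this server block
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            proxy_pass http://127.0.0.1:8080;       # assumed upstream application
        }
    }
}

# /etc/nginx/modsec/main.conf (assumed path; referenced above)
# A copy of modsecurity.conf-recommended from the ModSecurity source tree.
Include /etc/nginx/modsec/modsecurity.conf

# The recommended file ships with the engine in detection-only mode:
#   SecRuleEngine DetectionOnly      <- weak setting: matches are logged, nothing is blocked
# A later directive overrides it; for enforcement it must read:
SecRuleEngine On
SecRequestBodyAccess On                             # inspect POST bodies, not only the URL and headers
SecAuditEngine RelevantOnly                         # audit-log only transactions that triggered a rule
SecAuditLog /var/log/nginx/modsec_audit.log         # assumed log location

# A minimal local rule: refuse any request whose query or body arguments carry a script tag.
# Real deployments load the OWASP Core Rule Set here instead of hand-written rules.
SecRule ARGS "@rx <script" \
    "id:100001,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'Script tag in request arguments'"
```

After `nginx -t` passes and NGINX is reloaded, a request such as `curl -i 'http://localhost/?q=<script>'` should come back with 403 and an entry in the audit log. If the same request still returns 200 and only the audit log shows the match, the engine is still in DetectionOnly mode, which is the right state for a burn-in period against real traffic but not for production enforcement.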


Hacker hijacks police radio broadcast until cops call off car chase of armed robbers

During the car chase, an unknown person posing as a cop came over the police radio multiple times. The unauthorized voice reportedly interrupted so often that the real cops abandoned the chase. According to Triple M, “It's not known exactly what instructions were being given over the illegal broadcasts.” However, Victoria Police spokeswoman Lauren Kells said, “Throughout the incident there were a number of disruptions during the radio transmissions which are being investigated.” The police are now hunting for the person behind the pirate transmissions on emergency services radio; they believe they’ve narrowed down the area of the pirate transmission and asked citizens to come forward if anyone recognizes the radio hijacker’s voice.


Six Ways Agile Can Turn Static

This may be the Holy Grail, but this goal isn’t always achievable. Idealistically speaking, agile development has all the right elements, but it isn’t suitable for every project. Let’s consider how it works in the best-case scenario. Agile development accelerates the delivery of initial business value through a process of continuous planning and feedback. As a result of this iterative planning and feedback loop, teams are able to continuously align the delivered software with desired business needs, easily adapting to changing requirements throughout the process. Measuring and evaluating status is based on accurate visibility into the actual progress of projects through all of their stages, shared with all of the project stakeholders. As a result of following an agile process, at the conclusion of a project the software system addresses business and customer needs better.


IT staffs see changing roles amid cloud UC

The shift to cloud significantly affects the organization and strategies of IT staffs. Surprisingly, companies moving to cloud are seeing increases in IT staffs, rather than decreases, according to Nemertes data. For some companies, this trend is temporary, as organizations add staff to manage the cloud transition while still supporting legacy infrastructure. But, for most companies, the additional staff brought on board -- to manage vendor relationships, deployments and training -- is often reassigned to business-facing roles. Organizations moving to the cloud have seen a reduction of full-time equivalents dedicated to operations and technical support. These reductions were more than offset by increases in staff responsible for vendor relationship management, user awareness and adoption efforts, and business-IT liaison roles, leading to a 6% net increase in total staff.


Transforming from Autonomous to Smart: Reinforcement Learning Basics

Reinforcement Learning is for situations where you don’t have data sets with explicit known outcomes, but you do have a way of telling whether you are getting closer to your goal. ... Actions may affect immediate rewards, but actions may also affect subsequent or longer-term rewards, so the full extent of rewards must be considered when evaluating the reinforcement learning effectiveness. Reinforcement learning is used to address two general problems: Prediction: how much reward can be expected for every combination of possible future states; and Control: by moving through all possible combinations of the environment, find a combination of actions that maximizes reward and allows for optimal control.
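The prediction and control problems, and the point that a short-term reward can hide a larger delayed one, are easiest to see on a toy environment. The following is an added example written for this digest, not code from the article: a constructed five-state corridor in which moving left from the start state collects +1 in one step, while moving right collects +10 after three steps. `policy_evaluation` is the prediction problem (the discounted return of a fixed policy), `q_learning` is the control problem (finding the policy that maximizes return), and the discount factor `gamma` decides whether the learner is patient enough to prefer the delayed reward. All names and numbers are this example's own assumptions.

```python
"""Toy reinforcement-learning walk-through on a five-state corridor.

Constructed example: states 0..4, with 0 and 4 terminal. Entering state 0 pays
+1 (small, one step from the start), entering state 4 pays +10 (large, three
steps away). The agent starts in state 1 and can move LEFT or RIGHT.
"""
import random

N_STATES = 5
LEFT, RIGHT = 0, 1
START = 1
TERMINAL_REWARD = {0: 1.0, 4: 10.0}   # terminal state -> reward for entering it


def step(state, action):
    """Deterministic environment transition: returns (next_state, reward, done)."""
    nxt = state - 1 if action == LEFT else state + 1
    if nxt in TERMINAL_REWARD:
        return nxt, TERMINAL_REWARD[nxt], True
    return nxt, 0.0, False


def policy_evaluation(policy, gamma, sweeps=100):
    """Prediction problem: discounted return V(s) when always following `policy`.

    Repeated sweeps of V(s) = r + gamma * V(s') converge because the environment
    is deterministic and every path ends in a terminal state.
    """
    V = [0.0] * N_STATES
    for _ in range(sweeps):
        for s in range(1, N_STATES - 1):
            nxt, r, done = step(s, policy[s])
            V[s] = r + (0.0 if done else gamma * V[nxt])
    return V


def q_learning(gamma, episodes=3000, alpha=0.5, epsilon=0.5, seed=0):
    """Control problem: learn Q(s, a) with epsilon-greedy exploration and TD updates.

    The update target r + gamma * max_a Q(s', a) is what carries a reward
    collected three steps later back to the action that started the walk.
    """
    rng = random.Random(seed)
    Q = [[0.0, 0.0] for _ in range(N_STATES)]
    for _ in range(episodes):
        s, done = START, False
        while not done:
            if rng.random() < epsilon or Q[s][LEFT] == Q[s][RIGHT]:
                a = rng.choice((LEFT, RIGHT))            # explore (or break a tie)
            else:
                a = RIGHT if Q[s][RIGHT] > Q[s][LEFT] else LEFT
            nxt, r, done = step(s, a)
            target = r if done else r + gamma * max(Q[nxt])
            Q[s][a] += alpha * (target - Q[s][a])
            s = nxt
    return Q


def greedy_policy(Q):
    """Action with the highest learned Q in each state (LEFT on ties)."""
    return [RIGHT if Q[s][RIGHT] > Q[s][LEFT] else LEFT for s in range(N_STATES)]


if __name__ == "__main__":
    for gamma in (0.9, 0.1):
        Q = q_learning(gamma)
        names = ["RIGHT" if a == RIGHT else "LEFT" for a in greedy_policy(Q)[1:4]]
        print(f"gamma={gamma}: greedy actions in states 1-3 = {names}")
```

With `gamma=0.9` the learned policy walks right from every non-terminal state: the +10 three steps away is worth 0.9 * 0.9 * 10 = 8.1 from the start, more than the +1 next door. With `gamma=0.1` the same learner turns left at the start, because the delayed reward is discounted to 0.1. This is the "full extent of rewards" point from the article in miniature: the evaluation horizon, not just the immediate payoff, determines which actions look good.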



Quote for the day:

"Many people think great entrepreneurs take risks. Great entrepreneurs mitigate risks." -- Jal Tucher